Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

We are currently undergoing a EU MDR audit. The reviewer wrote a major nonconformance because we did not include EU MDR in our internal audit schedule on last year (2021). We had a mock EU MDR audit late 2020 through an external company. We then established a project team to address the nonconformances in 2021. In 2022, we added EU MDR to our internal audit schedule in hopes to show this during our EU MDR audit. The auditor is stating that we are not able to demonstrate compliance to EU MDR because we didn't include it in our internal audit schedule in 2021 and did not audit to EU MDR last year. We did however include MDD as this is the certification we currently hold. Does any one have any insight into this? I totally disagree with needing to perform internal audits to a regulation in which you don't hold a certification, but I wanted to get your insight.

There are a few issues here, so let me break them down.

If the EU-MDR auditor wrote a nonconformance, then there must be a requirement that the QMS failed to satisfy. The audit nonconformance must state this requirement, and apparently it does not. Refuse the nonconformance as incorrect until it includes a statement of the requirement. Otherwise, it is just the auditor's opinion. Also, I don't think there is such a requirement.

You say that you comply with the MDD and not the MDR, but this cannot be quite right. To keep your products on the market after May 2021 you must implement the MDD as modified by the MDR Article 120. If you not implemented the Article 120 requirements, then that would be a correct nonconformance if it were correctly written.

There is a larger issue here of well. I don't know of any EU-MDR requirement to stablish an internal audit program that includes the EU-MDR. However, EN ISO 13485:2016/A11:2021, 8.2.4.a requires the internal audit program to determine whether the quality management system conforms to applicable regulatory requirements. The EU-MDR Article 120 does include some QMS requirements for Art. 10, so if your QMS does not implement them, then an audit nonconformance against this 13485 requirement would be appropriate.

------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
------------------------------

Original Message:
Sent: 29-Mar-2022 20:57
From: Anonymous Member
Subject: Internal Audit (EU MDR)

This message was posted by a user wishing to remain anonymous

We are currently undergoing a EU MDR audit. The reviewer wrote a major nonconformance because we did not include EU MDR in our internal audit schedule on last year (2021). We had a mock EU MDR audit late 2020 through an external company. We then established a project team to address the nonconformances in 2021. In 2022, we added EU MDR to our internal audit schedule in hopes to show this during our EU MDR audit. The auditor is stating that we are not able to demonstrate compliance to EU MDR because we didn't include it in our internal audit schedule in 2021 and did not audit to EU MDR last year. We did however include MDD as this is the certification we currently hold. Does any one have any insight into this? I totally disagree with needing to perform internal audits to a regulation in which you don't hold a certification, but I wanted to get your insight.

You have a tricky scenario on your hands; I can understand your pain about a notified body's issuance of a nonconformity regarding a certification that you don't yet hold.  On the other hand, the notified body must confirm that you are fully compliant before issuing the certification.  There's a chicken-and-egg dynamic there.  In the end, you may be fighting a losing battle if you choose to argue.  Indeed, the notified body's governing standard generally demands writing up a Nonconformity for nonconformance at the pre-certification audit even though the auditee isn't yet certified.  Consequently, it is typical that Nonconformities will be issued at the pre-certification stage if the auditee hasn't yet demonstrated full conformity.

Don't overlook the fact that EU MDR Article 10(9) third paragraph indent (a) (strategy for regulatory compliance) and (m) (processes for monitoring and measurement) would generally be the EU MDR elements that demand inclusion of the EU MDR in the scope of the internal audit program. Moreover, a recognized state-of-the-art standard for auditing of quality management systems (ISO 19011 as amended), as well as ISO 13485 (if applied), require applicable regulatory requirements to be included in the internal audit program and schedule.  That said, there is certainly no EU MDR legislative requirement demanding EU MDR internal auditing each year.

But getting back to the heart of your frustration, I can say that if you haven't yet performed an internal audit against the EU MDR formally using your internal audit process (rather than just having a mock audit), then the basis on which a notified body could justify a nonconformity is this:  It could be argued that it's impossible to objectively show compliance with the aforesaid Article 10(9) provisions without such an internal audit.  Indeed, the proper integration and execution of internal auditing against the EU MDR are exercises that raise different questions than does the exercise of having a mock audit.

Ultimately, isn't it an easy fix to just do an EU MDR internal audit?  Perhaps you already have folks in your organization that can do them.  Or, there are plenty of experts here in the Forum that do them regularly for our clients.  This can be accomplished via a relatively short internal audit.  That's food for thought, as it could be easier than enduring the notified body's dispute-resolution process, which would generally be more costly and time consuming in the end in case you aren't able to argue the notified body out of its current stance...

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.
------------------------------

Original Message:
Sent: 29-Mar-2022 20:57
From: Anonymous Member
Subject: Internal Audit (EU MDR)

This message was posted by a user wishing to remain anonymous

We are currently undergoing a EU MDR audit. The reviewer wrote a major nonconformance because we did not include EU MDR in our internal audit schedule on last year (2021). We had a mock EU MDR audit late 2020 through an external company. We then established a project team to address the nonconformances in 2021. In 2022, we added EU MDR to our internal audit schedule in hopes to show this during our EU MDR audit. The auditor is stating that we are not able to demonstrate compliance to EU MDR because we didn't include it in our internal audit schedule in 2021 and did not audit to EU MDR last year. We did however include MDD as this is the certification we currently hold. Does any one have any insight into this? I totally disagree with needing to perform internal audits to a regulation in which you don't hold a certification, but I wanted to get your insight.

Good evening, I would like to add to the wise words of the two excellent contributors, that for the requirements on compliance of the legacy devices  with the applicable parts of the MDR under the transition period, the MDCG 2021-25 provides a good guidance. md_mdcg_2021_25_en_0.pdf (europa.eu)
This compliance is expected to be audited by the NBs and may be subject of self-audits.

regards

------------------------------
Peter Mikó M.D
ArtPharm Ltd.
Gyermely
Hungary
------------------------------

Original Message:
Sent: 30-Mar-2022 11:40
From: Kevin Randall
Subject: Internal Audit (EU MDR)

You have a tricky scenario on your hands; I can understand your pain about a notified body's issuance of a nonconformity regarding a certification that you don't yet hold.  On the other hand, the notified body must confirm that you are fully compliant before issuing the certification.  There's a chicken-and-egg dynamic there.  In the end, you may be fighting a losing battle if you choose to argue.  Indeed, the notified body's governing standard generally demands writing up a Nonconformity for nonconformance at the pre-certification audit even though the auditee isn't yet certified.  Consequently, it is typical that Nonconformities will be issued at the pre-certification stage if the auditee hasn't yet demonstrated full conformity.

Don't overlook the fact that EU MDR Article 10(9) third paragraph indent (a) (strategy for regulatory compliance) and (m) (processes for monitoring and measurement) would generally be the EU MDR elements that demand inclusion of the EU MDR in the scope of the internal audit program. Moreover, a recognized state-of-the-art standard for auditing of quality management systems (ISO 19011 as amended), as well as ISO 13485 (if applied), require applicable regulatory requirements to be included in the internal audit program and schedule.  That said, there is certainly no EU MDR legislative requirement demanding EU MDR internal auditing each year.

But getting back to the heart of your frustration, I can say that if you haven't yet performed an internal audit against the EU MDR formally using your internal audit process (rather than just having a mock audit), then the basis on which a notified body could justify a nonconformity is this:  It could be argued that it's impossible to objectively show compliance with the aforesaid Article 10(9) provisions without such an internal audit.  Indeed, the proper integration and execution of internal auditing against the EU MDR are exercises that raise different questions than does the exercise of having a mock audit.

Ultimately, isn't it an easy fix to just do an EU MDR internal audit?  Perhaps you already have folks in your organization that can do them.  Or, there are plenty of experts here in the Forum that do them regularly for our clients.  This can be accomplished via a relatively short internal audit.  That's food for thought, as it could be easier than enduring the notified body's dispute-resolution process, which would generally be more costly and time consuming in the end in case you aren't able to argue the notified body out of its current stance...

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 29-Mar-2022 20:57
From: Anonymous Member
Subject: Internal Audit (EU MDR)

This message was posted by a user wishing to remain anonymous

We are currently undergoing a EU MDR audit. The reviewer wrote a major nonconformance because we did not include EU MDR in our internal audit schedule on last year (2021). We had a mock EU MDR audit late 2020 through an external company. We then established a project team to address the nonconformances in 2021. In 2022, we added EU MDR to our internal audit schedule in hopes to show this during our EU MDR audit. The auditor is stating that we are not able to demonstrate compliance to EU MDR because we didn't include it in our internal audit schedule in 2021 and did not audit to EU MDR last year. We did however include MDD as this is the certification we currently hold. Does any one have any insight into this? I totally disagree with needing to perform internal audits to a regulation in which you don't hold a certification, but I wanted to get your insight.